Latest Entries »

The hacking collective LulzSec has announced that it will not release News International emails, which the group says it acquired by hacking the website of “The Sun” earlier this week. Instead, LulzSec said it will work with selected media outlets on the emails, a tactic similar to WikiLeaks’ partnership with the press. The hacker collective Anonymous also announced today that it has broken into NATO computer servers, and published two documents, purportedly from the military alliance. Yesterday, I spoke to Sam Bowne, a hacking expert who teaches ethical hacking at City College San Francisco, about the tactics used by groups such as Anonymous and LulzSec.

RFE/RL: Do you think that groups like Anonymous or LulzSec are hacking with ethics in mind? 

Sam Bowne: The “hacking” word doesn’t get me in as much trouble as the “ethical” term, exactly for that reason. Anonymous, for example, claims that what they’re doing is ethical because they see themselves as political protesters furthering some sort of high-minded agenda. LulzSec made it very clear that they have no ethics at all and they would even tell anybody that asked them for ethical concerns “forget about us and go talk to Anonymous.” But then, they seem to have attempted to make their stuff seem more politically important with hacking Murdoch and stuff. But that’s not what I mean by ethics at all. I have a much simpler idea. What we do here is legal. This is business ethics, professional ethics, where you obey the law and you don’t lie to people about what you can do, you don’t sell them defective products. That’s what I mean. Very simple, professional ethics, not the sort of metaphysical ethics where they’re “making the world better,” even if they’re breaking the law. And that’s why these “hacktivists” feel like their cause is so important it’s OK to break the law. To further their cause.
RFE/RL: I realize it’s hugely debatable what’s in the public interest, what’s not in the public interest, and hacking is illegal, but do you think there are cases where if something was in the public interest, it would be morally or ethically acceptable to break the law in order to expose that information and make it public?
Bowne: Well, there are certainly cases of whistleblowers, and there are even laws to cover that in America anyway, and I think elsewhere, where if you’re, for example, working for a company and you discover they’re doing something horrible like killing people at your company, you are allowed to violate the confidentiality rules of your company to tell the police about that. And there are also cases in which you’re allowed to break the law for an emergency like you’re allowed to drive fast if someone is really dying in the back seat and you’re going to the hospital and such. So I certainly understand cases like that.
LulzSec, I think, is utterly irresponsible and there’s no excuse at all for what they’re doing. I mean, they’re just dumping entire password databases of the U.S. military on the web which is insane. It doesn’t help anybody. And Anonymous, you know. Some of the overseas people, like in Egypt, say Anonymous is really helping them in a revolt against the government. I don’t know enough about what happens in Egypt to judge that. Their actions in America I have no sympathy for because they seem to just senselessly hate all authority figures and they seem to just be taking a bunch of clueless teenagers, lying to them, and turning them into criminals. So I don’t think much of that.
RFE/RL: Do you see moral or ethical differences between what the “News of the World” has done, for instance hacking into individual’s phones, or by LulzSec hacking into “The Sun.” Is there a moral equivalency here or are these different cases? 
Bowne: Well, I mean, they’re both wrong. They’re both illegal. I think they’re both going to get caught and punished. So, I’m just thinking two wrongs don’t make a right. And I also don’t see any real purpose to the LulzSec attack because I don’t think there was some secret hidden stuff about what the News of the World did that would never have come out without them hacking in. So it’s not clear to me that them hacking accomplished anything. It was mostly just a prank so they could laugh about it, which is what LulzSec has always been about.
RFE/RL: They’re saying they have this email dump that’s going to blow the lid on the whole thing. If it did indeed show that they exposed some greater malpractice at the “News of the World” that we previously didn’t know about, I suspect there will be a lot of people, especially within the tech community, who might think the ends justify the means here.
Bowne: Well, yes a lot of people do think that. I again do not agree because if you just dump an entire email, you cause a lot of collateral damage to innocent people. If you did have some proof that Rupert Murdoch did something unknown and illegal, there would also be a bunch of innocent emails there from people talking to their doctors about medical problems or about their secret love affairs and other things that really are not criminal and yet will harm people to just dump it out. Here, for example, WikiLeaks is more responsible than that. If you wanted to release it they could just send it to WikiLeaks and WikiLeaks actually screens things and only dumps the part that appears to be important and not all the innocent victims’ names. So would a newspaper. They could send it to a major newspaper and those people wouldn’t just willy-nilly dump the entire email log. And that’s what you should do. That’s responsible disclosure of such information — although it’s still illegal for them to steal it. But what they’re doing is the same thing as a terrorist who hates one person but it’s more convenient to blow up a whole cafe. They’re just doing what’s easiest for them instead of doing carefully what’s right. What they really ought to do of course is proper law enforcement where you have a search warrant, and you have a subpoena for the email, and you’re patient and let it take a year to get it the right way. That’s why we have all these procedures.
RFE/RL: Turning to WikiLeaks, I know WikiLeaks says they don’t hack, but there has been some anecdotal evidence suggesting that they might engage in hacking, but no smoking gun certainly.
Bowne: I’m not even aware of the anecdotal evidence. What evidence is there that WikiLeaks hacks anybody?
RFE/RL: There was the piece in “The New Yorker” profile of Assange that claimed they got some of their initial documents through an Internet eavesdropping operation, where they were getting traffic from Tor [a system that enables online anonymity]. 
Bowne: Yeah, I’ve heard that, but I’ve never seen any evidence of it. Although that’s not even really hacking, I think — although it might be, I guess.
RFE/RL: So there doesn’t seem to be a smoking gun, but from an outsider’s perspective, Julian Assange has been a hacker in the past, comes from a hacking background, and is surrounded by hackers. There is a loosely affiliated network. And even though Anonymous isn’t officially connected to WikiLeaks, they’re supporters and in many ways ideologically they’re very similar. Isn’t all of that — it’s not compelling evidence that WikiLeaks hacks — but you might start to ask questions about WikiLeaks and where they obtain their information. Just as in the same way you might ask questions about where “News of the World” private investigators would obtain their information. 
Bowne: Oh sure it’s quite reasonable to ask the question, and I think there’s no doubt that some of the information of WikiLeaks did originate in a hack. Essentially the stuff that came from the U.S. military that presumably came from [Bradley] Manning, that was a sort of hack, where you make a secret copy and leak it out. But I think the point there is apparently Manning committed a crime, but I don’t think Julian Assange had committed a crime to publish stuff that comes to him.
RFE/RL: Turning to denial of service attacks, which seem to be the tactic of choice recently for some of these script kids, do you see that as digital vandalism or more akin to a cyber sit-in? 
Bowne: I really don’t think much of the sit-in analogy. A lot of people say that Anonymous is morally and legally justified to take down sites with denial of service. The difference between that and a sit-in is that in a sit-in you are physically present and you permit the police to arrest you. Here is where Anonymous reveals their complete lack of moral fiber. If you really want to protest the law and you want to break the law, Gandhi and Martin Luther King showed how to do this. You stand up in public with your real name and you let the police arrest you for doing something like blocking traffic and then this causes a public examination of why you did that and whether your cause is important. But these guys hide on the Internet, take down a site and run away so they escape the punishment. That creates fear because people justifiably think that they could be the next victim. It shows a lack of commitment. They don’t put their real name on anything and they’re not ready to take any consequences. It shows a lack of moral purity and I think it’s very clear that in fact, they do not choose their victims carefully. They just want to hurt somebody like an angry street gang, and they just get together and pick someone who appears to be unpopular at the moment to be their latest victim. And when they run out of victims, they do like what LulzSec did. They open a phone line so anybody can call in and they’ll attack anybody whose name appears on the phone line. The fun is the fight. It’s not like they have any cause or any principle or any goal. They just like attacking things on the Internet. It’s just a game to them.
RFE/RL: When I’ve spoken to Anonymous activists before and raised the sit-in analogy, they’ve said that actually they do put themselves on the line and they are at risk of being punished. As we’ve seen recently, Anonymous and LulzSec activists have been arrested. So they’re arguing that what they’re dong there, hacktivism, does face the consequences of punishment. 
Bowne: Just like every other criminal they make every possible effort to protect themselves. Occasionally they fail and go to prison. They are breaking the law, but their moral position is terrible. And if you go to the pages where you download the “low orbit ion cannon” [an application used for denial of service attacks], their tool of choice, it actually contains statements that you will not get caught because when the attack starts, the servers will crash and the logs will be lost and you can always claim that you were just infected by a virus. Those statements are all absolutely false and anybody with any knowledge of computer security can instantly spot them as false. They tell teenagers to do it.
What’s really going on here is there’s a group of people who are my age, in their 40s and 50s, a small group at the core, that are recruiting young children and using them as disposable weapons — tricking them into doing attacks and then letting them go down. It really is morally deplorable. And that’s why it got me involved in being a strong vocal opponent of this because the people they’re hurting are like my students. Some of my young students might fall for this and participate, feel like they’re saving the world, and then discover that now they can’t get a legitimate job anymore because they’ve been busted for computer crime. I just hate to see it. It’s taking people who are idealistic but naive, and could be productive, and deflecting them into a world of crime.
RFE/RL: Do you really think that groups like LulzSec and Anonymous are run by a very small core of hackers? 
Bowne: Oh yes, I think absolutely that is correct in both cases. Anonymous is so very low-tech that there are just groups using the name that are not led by [such] people but there were a small number of leaders that have really come out that set rules and such. I think they don’t have a lot of authority so there are a bunch of splinter factions. But LulzSec doesn’t pretend anything else. There are only six of them, and three or four have sort of drifted away. They know who they are, they’ve been well profiled and they have public identities — all under fake names of course — but there’s no question. They’re not even much of a group. There’s just six people doing it and then a bunch of people cheering them on or condemning them.
RFE/RL: When I read the tech press, I often find that the tone of the coverage about groups like Anonymous tends to be either sometimes positively cheerleady and perhaps other times, it’s not cheerleady, but certainly less critical than perhaps it should be. Have you noticed that in the tech press as well?
Bowne: Oh yes and I think it’s easy to understand: they are afraid. They don’t want to be the next target.
RFE/RL: Do you think it just comes down to fear? Or do you think it comes down to the way that hackers are somehow, for the digerati, the digital rock stars of the day, the Che Guevara. That there’s some sort of mystique about their technical prowess that they can do such things. So is it just fear, or is it a bit of both? 
Bowne: If anybody has any admiration for the technical prowess of Anonymous they’ve got to be out of their mind. Anonymous doesn’t know anything. The “low orbit ion cannon” is a piece of junk and they can’t even hack into a server with a SQL exploit. Now, LulzSec has made it up to being only about 15 years out of date in their computer security knowledge. They know how to run one or two automated tools that dump the contents of vulnerable servers and they are improving rapidly. There’s schools for Lulz that published the techniques of crime that they use and I’ve been studying those. Some of those are interesting and perhaps worth using as homework for my students. But none of these guys have any technically advanced skills. They’re just doing stuff that anybody in their right mind would be smart enough not to do for non-technical reasons, like attacking NATO and the FBI, you’re just out of your mind! You’re just going to go to prison and accomplish no good and everybody else can see that. They’re just the people that are too mentally and ethically deranged to see that they’re destroying themselves.
RFE/RL: Within the hacking community, how typical or how rare are views like yours about ethical hacking? Are you in a minority do you think or are you the consensus? 
Bowne: I think I’m more strict and more determined to obey the law than most, but I think in practice almost all professionals do it my way and I have some evidence for that because the people who are criminals and the people who cheer on the criminals are exaggerated online. They’re trolls essentially and they like to scream about their position. I posted an article about a year ago saying the sort of thing I’ve been saying to you about how Anonymous is wrong and how a guy named the Jester is wrong. A bunch of people complained, so I set up a poll saying among people who are certified professionals with a CISSP [Certified Information Systems Security Professional] for a certified ethical hacker. Those credentials come with a code of ethics. You must obey the law and various other things. If you don’t do those things you will lose your credentials. I said, among people with that credential, how many of you actually obey the rules? The answer was 80 to 90 percent of them said they did. So I think most people do obey the law, but of course most of them don’t do it out of a deep inner conviction that they believe in the law, they just do it because they’re afraid of prison or something, but I think they do.
RFE/RL: In the discussion of the tech press, you talked about fear. I don’t come from a technical background, I’m learning on the job about hacking, but when I first started writing about Anonymous, it did cross my mind, and I did have genuine fear for a few moments, that some people at Anonymous could hack into my computer and put some child pornography on there or do something terrible. I did have that feeling. I’ll be honest, I was worried about being too critical. Is that what you meant by fear when you said that about how people in the tech press treat them? 
Bowne: Yes, absolutely, and it is well justified. It’s the same thing as a person might be reluctant to criticize Islamic terrorists or the Irish Republican Army because if you manage to get their attention they might kill you. And those things do happen. There was a case where a man was caught planting child pornography on his boss’s computer. And I’m sure for every one of those caught 10 of them get away with it. I mean, that is the nuclear strike of this industry. If someone were to get you, suspected as a pedophile it would all be over for you and you’d have very little chance of ever defending yourself. However, Anonymous is too technically incompetent to do that. LulzSec is not, but there are a certain amount of vigilantes out there, absolutely. And I think if you manage to attract their attention, they’re not messing around. But the people who are really dangerous are the organized crime people who are making money off this, like the people who write viruses. Those people are the old-school organized crime and they do show up and just kill people. They kidnapped a malware researcher’s daughter and sold her into prostitution. So there are real dangerous criminals here and it’s a thing to be aware of.

Cyber activists associated with Anonymous have issued an official communiqué in response to an ongoing international crackdown against the collective.

The communiqué also addresses recent statements made by deputy assistant FBI director Steve Chabinsky.

“We want to send a message that chaos on the Internet is unacceptable,” Chabinsky told NPR on July 20th.

“[Even if] hackers can be believed to have social causes, it’s entirely unacceptable to break into websites and commit unlawful acts.”

Anonymous countered Chabinsky’s statements by listing what it found unacceptable, beginning with “governments lying to their citizens and inducing fear and terror” to keep them in control by dismantling their freedom piece by piece.

The hacker group also singled out corporations “aiding and conspiring with said governments,” while simultaneously lobbying and collecting billions of funds for federal contracts they can’t fulfill.

“These governments and corporations are our enemy. And we will continue to fight them, with all methods we have at our disposal, and that certainly includes breaking into their websites and exposing their lies,” the group continued.

“We are not scared any more. Your threats to arrest us are meaningless to us [because] you cannot arrest an idea. Any attempt to do so will make your citizens more angry until they will roar in one gigantic choir. It is our mission to help these people and there is nothing – absolutely nothing – you can possibly do to make us stop.”

Anonymous also noted that the Internet has always been the Wild Wild West, with the government exercising limited control over the digital frontier.

“[Still], that does not mean that everyone behaves like an outlaw. You see, most people do not behave like bandits if they have no reason to.

“We become bandits on the Internet because you have forced our hand. The Anonymous bitchslap rings through your ears like hacktivism movements of the 90s. We’re back – and we’re not going anywhere. Expect us.”

 

Source Link

Hacker collectives LulzSec and Anonymous have sent a new message to the U.S. FBI after the law enforcement agency promised to increase the ferocity of its campaign against hacking.

The statement was directed at the comments made by FBI director Steve Chabinsky to NPR.

The comment: “We want to send a message that chaos on the Internet is unacceptable, [even if] hackers can be believed to have social causes, it’s entirely unacceptable to break into websites and commit unlawful acts,” was singled out in the two groups’ joint statement.

Responding to the comment, the joint LulzSec and Anonymous statement wrote: “Now let us be clear here, Mr. Chabinsky, while we understand that you and your colleagues may find breaking into websites unacceptable, let us tell you what WE find unacceptable.”

The statement went on to post three bullet points highlighting key practices the two hacktivists could not abide:

“Governments lying to their citizens and inducing fear and terror to keep them in control by dismantling their freedom piece by piece.

“Corporations aiding and conspiring with said governments while taking advantage at the same time by collecting billions of funds for federal contracts we all know they can’t fulfil.

“Lobby conglomerates who only follow their agenda to push the profits higher, while at the same time being deeply involved in governments around the world with the only goal to infiltrate and corrupt them enough so the status quo will never change.”

The three bullet points mirror those contained in Anonymous previous Operation Anti-Security — commonly referred to as AntiSec — campaign’s mission statement.

The campaign has already seen the two collectives mount ongoing assaults against numerous companies and governments. These include regular assaults on websites owned by the Turkish Government, a new ongoing campaign against oil companies damaging the American Heartland’s forests and numerous hacks on several big-name U.S. military contractors.

Departing from the groups usual policy of referring to its members as pirates or ninjas, the statement went on to refer to its members as modern day “outlaws”.

The point was addressed to Chabinsky’s comment: “The Internet has become so important to so many people that we have to ensure that the World Wide Web does not become the Wild Wild West.”

In response the group wrote: “Let me ask you, good sir, when was the Internet not the Wild Wild West? Do you really believe you were in control of it at any point? You were not.

“That does not mean that everyone behaves like an outlaw. You see, most people do not behave like bandits if they have no reason to. We become bandits.”

Anonymous followed the statement with a tweet linking to a video showing a law professor explaining why an individual should never voluntarily agree to be interviewed by the police.

The statement comes just after the U.S., U.K. and Dutch law enforcement agencies reported the arrest of as many as 20 suspected Anonymous members. The FBI accounted for 16 of these and has confiscated the computers of several other individuals for “further investigation.”

 

Source Link

A leaked government report has revealed that police servers were only protected by cheap software, making a recent hack on databases much easier. Police were forced to shut down several servers with data on serious criminals.

 

This month’s attack on police servers by the “No Name Crew” hackers had much more serious consequences than previously thought, according to a report in news magazine Focus.

According to the magazine, the government’s newly founded cyber-defence department, the Federal Office for Information Security (BSI) reported internally on Friday that every single server of the police’s spy programme “Patras” had been infiltrated by hackers.

Patras is used to locate serious criminals and terrorist suspects by gathering information from GPS systems in cars and mobile phones. It is used by both state and federal police forces, as well as Germany’s customs officers.

Following the cyber-attack, which took place earlier this month, all of the relevant servers had to be shut down to prevent more data being stolen.

According to the internal BSI report to the German interior ministry, the “No Name Crew” even hacked the central database of the federal police, in Swisstal-Heimerzheim in North Rhine-Westphalia.

This could lead to hundreds of confidential police investigations appearing on the internet. “That is pretty much the worst thing that could happen,” an anonymous security officer told Focus.

The report said the hack came about because the police did not adequately protect its servers, using what was described as “cheap protection software.” It also said that “fundamental security measures” such as “dealing with passwords” had been ignored.

The No Name Crew had previously hacked the servers of the far-right National Democratic Party and published sensitive information including a list of its donors.

 

Source Link

Hacking group claims to have 4GB of emails taken from an alleged hack on servers at the Sun, but won’t make them public for fear of jeopardising ongoing legal actions

 

The Lulzsec hacking group, which this week claimed to have obtained 4GB of emails taken from the Sun’s servers, has decided not to publish them for fear of jeopardising ongoing legal actions in the UK and US.

However, an expert in email security procedures has warned the Guardian that the hack itself could undermine ongoing legal cases.

In a tweet sent from the @anonymousIRC account, which has 124,000 followers, a spokesman for the group said: “We think, actually we may not release emails from the Sun, simply because it may compromise the court case.”

This may not be enough to prevent News Corporation, parent company of Sun publisher News International, challenging the admissibility of email evidence in future court cases, according to one information security professional.

“Post-Enron, new US laws were passed requiring all corporations to keep immutable email archives for legal compliance purposes. These are often provided by independent third parties,” he said.

“Depending on whether Lulzsec got their material from this archive, rather than an old News International server, it’s possible News Corporation will be able to argue their email archive can’t be trusted in court as it’s been compromised.”

The claimed email cache is said to have been obtained after a hacking attack against News International on Tuesday night during which members of LulzSec apparently broke into computer systems there and redirected readers of the Sun’s website to a faked page claiming News Corp chief executive Rupert Murdoch had been found dead.

Different members of the wider Anonymous hacking collective claimed the emails were taken from a seperate hack of News International’s offsite backup centre in India. Establishing from exactly which server – if any – emails were obtained could prove crucial to keeping email admissable in a future court case.

Some accounts belonging to Anonymous also began tweeting email addresses and passwords for staff at News International, including what seemed to be an email account and password for Rebekah Brooks under her previous married name of Wade while at the Sun.

The password appeared to be valid based on the contents of the tweet, which included the encrypted form of the password.

News International reacted by closing down all external access to its webmail systems and forcing users to reset their passwords.

The company declined to comment at the time on whether the hackers might have had external access to email accounts, but the fact that it shut down the access suggests that it feared they might.

Equally, the hackers almost certainly would not have begun tweeting details of their find without having first exploited it.

Contacts within Anonymous have told Guardian journalists that News International’s email systems were being probed last week and that downloads were being made then.

Lulzsec said they would now seek to release extracts of the emails they collected through media outlets.

“We’re currently working with certain media outlets who have been granted exclusive access to some of the News of the World emails we have,” said a tweet from the official @Lulzsec feed.

 

Source Link

The notorious LulzSec hacking outfit is preparing to release a batch of emails stolen from the accounts of News International journalists after breaking into the company’s computer network.

LulzSec surprised everyone on Monday when it suddenly came out of retirement with a defacement The Sun’s website.

The hacking group also claimed that it obtained access to the email accounts of several journalists, including News International’s former CEO Rebekah Brooks.

Sabu, one of LulzSec’s members, said at the time that the group planned to dump the emails on the Internet the following day and called onto journalists to sift through them and expose the dirt.

However, it seems the group has since changed its mind and opted for an approach similar to the one used by WikiLeaks.

We’re currently working with certain media outlets who have been granted exclusive access to some of the News of the World emails we have,” LulzSec announced on Twitter hours ago.

It remains to be seen if the emails, if released, will expose more unethical behavior inside News International. They won’t probably reveal anything new about the News of the World phone hacking scandal, but plenty of questionable things are to be expected in any company’s internal email.

Meanwhile, LulzSec seems to be back in full force. According to Sabu, News International emails are not the only data the group has in its possession. “We are working on: 4GB of Sun mails, SCADA, Royal Family dumps, Federal Contractors (4), Foreign banks (2) and others. Busy, busy, busy,” he said.

The outfit’s members remain as cocky as ever. In an open letter published today together with Anonymous, the group says there’s nothing law enforcement agencies can do to stop them or their movement.

 

Source Link

LulzSec has abandoned plans to release a cache of News International emails it claimed to have acquired during a redirection attack on The Sun website earlier this week. Instead the group says it plans to release select batches of the emails via a “partnership” with select media outlets, an approach akin to that applied by WikiLeaks to its controversial US diplomatic cable and war log releases last year.

The activist collective returned to action after disbanding last month in order to launch an attack on the Murdoch empire that resulted in surfers visiting The Sun being redirected towards a fake story on the supposed death of media mogul Rupert Murdoch. The group repeatedly said it had also extracted email archives during this hack, but uncharacteristically delayed their release. This distinguishes the hack from earlier Anonymous hacks on HBGary and ACS:Law, where email archives were uploaded by the hacktivists around the same time as the websites were defaced.

Sabu, a prominent affiliate of LulzSec, has repeatedly said the promised dump of emails from News International was imminent, most recently in a series of Twitter updates (here and here) on Thursday lunchtime, which claimed the group was sitting on an 4GB archive.

However, minutes later, Anonymous – the hacktivist organisation that re-absorded LulzSec after the latter group disbanded earlier this month – said it had abandoned plans to release these emails. “We think, actually we may not release emails from The Sun, simply because it may compromise the court case,” it said.

LulzSec later said that it planned to release select extracts of the email batch via selected media outlets. “We’re currently working with certain media outlets who have been granted exclusive access to some of the News of the World emails we have,” it said.

The names of the “media outlets” concerned have yet to be revealed. Any mainstream media outlet that published the information may have some ethical qualms about dealing with the anarchic hacking collective, whose previous targets have most controversially included the Arizona Police Department and SOCA, the UK policing agency.

Neither LulzSec or Anonymous, whose stock in trade has been denial of service attacks and information extraction against numerous targeted organisations, has shown any respect for legal niceties or possible collateral damage from its releases before.

Thus far, LulzSec has only posted email hashes of a small number of NI workers, along with the supposed email password of Rebekah Brooks dating from the time she edited The Sun.

News International responded to the attack by suspending access to its webmail and remote access systems and applying a forced password reset.

In what initially appeared as an attempt to divert attention away from the topic of the NI international hack, Anonymous posted various low-value NATO documents.

The “NATO Restricted” documents posted may sound impressive but this is in fact the lowest possible level of protective marking/classification.

“We are sitting on about one Gigabyte of data from NATO now, most of which we cannot publish as it would be irresponsible,” the group said.

 

Source Link

Thursday morning the notorious Internet hacktivist collective known as Anonymous announced via Twitter successfully hacking into NATO’s online security, and in so doing obtaining a vast amount of restricted information.

Anonymous reports they managed to obtain a gigabyte of restricted information from NATO (North Atlantic Treaty Organisation). However, they have only published a tiny fraction of the information, claiming it would be “irresponsible” to publish much of the sensitive and restricted information.
In response to news of the online security breach, NATO announced they are beginning a full scale investigation:

NATO security experts are investigating these claims. We strongly condemn any leak of classified documents, which can potentially endanger the security of NATO allies, armed forces and citizens.

The successful hack of NATO by Anonymous is part of a larger campaign: Operation Anti-Security (#antisec). The following is an excerpt from a manifesto explaining Operation Anti-Security:

Welcome to Operation Anti-Security (#AntiSec) – we encourage any vessel, large or small, to open fire on any government or agency that crosses their path.  To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships.

Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments. If they try to censor our progress, we will obliterate the censor with cannonfire anointed with lizard blood.

Source Link

In June, The Tech Herald reported on information given to us by Ryan Cleary shortly before his arrest. The story centered on an AT&T insider who handed sensitive information and a bootable USB disk over to Anonymous. On Tuesday, the FBI arrested an AT&T employee connected to the leak, during a nationwide sweep targeting Anonymous.

An indictment unsealed in the District of New Jersey charges Lance Moore, 21, of Las Cruces, N.M., with the alleged theft of confidential business information stored on AT&T’s servers. The indictment goes on to mention that he uploaded the information to a public file hosting service, which The Tech Herald can confirm to be fileape.com.

The public first learned of the AT&T files from a Torrent release by LulzSec. The documents were included in the group’s final release before they disappeared from the public eye. The release also marked the second major data leak under the AntiSec movement, which has targeted both government and private sector organizations since its founding. In addition to documents, the insider leak also included a bootable USB drive used by AT&T.

In May, while interviewing Cleary for a separate story, he bragged about the AT&T leak, and the fact an insider delivered the information and software to Anonymous. “…an employee of AT&T gave us loads of shit…,” he said.

Cleary’s comments were confirmed by two additional sources. One of them, a person linked to LulzSec itself, and the other an associate of Anonymous familiar with the data. On Tuesday, these two additional sources were raided and arrested, as law enforcement in the U.S., U.K., and the Netherlands, coordinated in sweeps against Anonymous.

At the time of the original story, AT&T had no comment on the data leak. Phone calls and emails seeking comments on the arrest have not been returned.

As mentioned previously, the leaked documents include more than 60,000 phone numbers, each one linked to an iPhone 3G, 3GS, or iPhone 4. Each of them was assigned to IBM employee at one point. The leaked data also included server names and IP addresses, with a corresponding username and password, for both development and production usage on AT&T’s internal network.

Moreover, other leaked documents, such as the various meeting notes, emails, AT&T’s 4G/LTE testing data, internal presentations, and a random assortment of technical documentation, were included in the data delivered to Anonymous and the public as a whole.

At the time our story first ran, we highlighted the risks that insiders can pose. Given all of the information in the AT&T files, and the fact they are in the public domain, there is plenty of detail to launch a targeted Phishing attack. Such attacks have been linked to security incidents targeting government contractors as well as Fortune 100 and 500 companies.

According to the New Jersey complaint, Moore used his access as a customer support contractor to access all of the information he is charged with leaking. When he uploaded the files, only a select few had access to it. Then just over a month later, they were released by LulzSec.

More details on the nationwide sweep by the FBI can be seen here.

Note: For those who want to read the court documents related to the FBI raids, redacted copies are published on publicintelligence.net

If the charges prove correct, Moore faces 10 years in prison and a $250,000 USD fine for his actions.

 

Source Link

The federal government plans to shut 40 percent of its computer centers over the next four years to reduce its hefty technology budget and modernize the way it uses computers to manage data and provide services to citizens.

Computer centers typically do not employ many people to tend the machines, but analysts estimate that tens of thousands of jobs will most likely be eliminated.

The federal government is the largest buyer of information technology in the world, spending about $80 billion a year. The Obama administration, in plans detailed Wednesday, is taking aim at some of that by closing 800 of its sprawling collection of 2,000 data centers. The savings, analysts say, will translate into billions of dollars a year and acres of freed-up real estate.

The government is following the lead of private business. For years, companies have been using software that shares computing tasks across several machines in a data center. The task-juggling technology enables computers to run at far higher levels of efficiency and utilization than in the past, doing more computing chores with fewer computers and fewer data centers.

In an interview, Vivek Kundra, chief information officer for the federal government, explained that the data center consolidation was part of a broader strategy to embrace more efficient, Internet-era computing. In particular, the government is shifting to cloud computing, in which users use online applications like e-mail remotely, over the Internet. These cloud services can be provided by the government to many agencies or by outside technology companies.

Tapping cloud computing services, Mr. Kundra said, could save the government an additional $5 billion a year, reducing the need for individual government agencies to buy their own software and hardware.

Shawn McCarthy, an analyst at IDC, a research firm, said, “The data consolidation is really part of a much larger reworking of information technology by the government. You start with the technology plumbing, but the goal is more responsive and efficient government services.”

This week’s announcement, analysts say, is a significant step along that path, naming 178 data centers to be closed in 2012. It is the second step in the program. In April, 137 computer centers were singled out to be shut down by the end of this year.

But government officials say the federal agencies are moving faster than the initial plans, with a total of 195 closings now scheduled by the end of 2011. That would help lift the total to 373 data centers by the end of 2012.

The government, though late in starting, is on track for a particularly aggressive winnowing of its data centers, encouraged by the need for budgetary belt-tightening. “It is ambitious,” said Darrell M. West, an expert in government and technology policy at the Brookings Institution. “In an era of massive deficits, the federal government has to figure out ways to get more efficient. The data center consolidation is part of that process.”

The cost savings simply from running fewer data centers is estimated at more than $3 billion a year. There is an environmental impact too, since data centers are power-hungry. By one estimate, an average data center consumes the energy equivalent of 200 residential homes.

The data centers to be shut down are varied in size. One facility run by the Department of Homeland Security in Alabama covers 195,000 square feet, the size of more than three football fields. But some of the data centers to be eliminated are less than 1,000 square feet in size.

The total opportunity for savings is so large, Mr. Kundra explained, because for years each government agency tended to buy and build its own technology systems. Across the federal government, he noted, hundreds of different software programs are used for financial accounting and hundreds of different ones for human resources management. The population of federal data centers swelled from 432 in 1998 to more than 2,000 by last year.

“Redundant systems and applications sprouted like weeds,” Mr. Kundra said. “We need to shift resources away from duplicative systems and use them to improve the citizen experience.”

More and more services will go online, said Mr. Kundra, so the focus should be less on overall technology spending by government than on using technology more efficiently to deliver government services, especially collecting and presenting data in useful ways.

As one example, he pointed to the Web site Healthcare.gov. It enables people to compare health insurance coverage and pricing options offered by private companies and the government, and to compare quality scores for hospitals and nursing homes, based on government data.

The shift to modernized computer services has already started. For example, nearly 140,000 employees at the General Services Administration and Department of Agriculture have moved to cloud-based e-mail, Mr. Kundra said, saving about $42 million a year. Google provides the cloud e-mail for the G.S.A, while a Microsoft cloud service is used by the Agriculture Department.

Mr. Kundra declined to estimate the job impact of eliminating hundreds of data centers. The closings are determined by technology managers in the federal agencies. Data centers are not huge employers, as military bases are, for example. Yet even in the first wave of closings, Mr. Kundra said, “We have had some pushback from members of Congress, but tough decisions have to be made.”

None so far, he said, have been reversed.

 

Source Link